syzbot


KASAN: use-after-free Read in nft_table_lookup

Status: closed as invalid on 2021/08/31 02:52
Subsystems: netfilter
[Documentation on labels]
First crash: 1051d, last: 1051d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in nft_table_lookup (2) netfilter syz done 1 1019d 1015d 20/27 fixed on 2022/03/08 16:11

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in strlen+0x79/0x90 lib/string.c:565
Read of size 1 at addr ffff888017d7bb40 by task syz-executor.4/20536

CPU: 1 PID: 20536 Comm: syz-executor.4 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 strlen+0x79/0x90 lib/string.c:565
 strlen include/linux/fortify-string.h:60 [inline]
 nla_strcmp+0x26/0x130 lib/nlattr.c:826
 nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570
 nft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline]
 nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064
 nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
 nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:654
 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
 netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:724
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2403
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2457
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2486
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f59d6a8b188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665e9
RDX: 0000000000000000 RSI: 0000000020000d80 RDI: 0000000000000004
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffebd02b76f R14: 00007f59d6a8b300 R15: 0000000000022000

Allocated by task 20536:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:596 [inline]
 nla_strdup+0xc8/0x150 lib/nlattr.c:769
 nf_tables_newtable+0xe5e/0x1b40 net/netfilter/nf_tables_api.c:1116
 nfnetlink_rcv_batch+0x1710/0x25f0 net/netfilter/nfnetlink.c:513
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]
 nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:652
 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
 netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:724
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2403
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2457
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2486
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 20535:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1625 [inline]
 slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1650
 slab_free mm/slub.c:3210 [inline]
 kfree+0xe4/0x530 mm/slub.c:4264
 nf_tables_table_destroy+0xd2/0x1b0 net/netfilter/nf_tables_api.c:1313
 __nft_release_table+0xabc/0xe30 net/netfilter/nf_tables_api.c:9603
 nft_rcv_nl_event+0x4af/0x590 net/netfilter/nf_tables_api.c:9645
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 blocking_notifier_call_chain kernel/notifier.c:337 [inline]
 blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:325
 netlink_release+0xcb8/0x1dd0 net/netlink/af_netlink.c:785
 __sock_release+0xcd/0x280 net/socket.c:649
 sock_close+0x18/0x20 net/socket.c:1311
 __fput+0x288/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:209
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888017d7bb40
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
 8-byte region [ffff888017d7bb40, ffff888017d7bb48)
The buggy address belongs to the page:
page:ffffea00005f5ec0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17d7b
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00008586c0 0000000a0000000a ffff888010841280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 8491, ts 299936185923, free_ts 299936104203
 prep_new_page mm/page_alloc.c:2436 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4169
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5391
 alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2244
 alloc_slab_page mm/slub.c:1688 [inline]
 allocate_slab+0x32e/0x4b0 mm/slub.c:1828
 new_slab mm/slub.c:1891 [inline]
 new_slab_objects mm/slub.c:2637 [inline]
 ___slab_alloc+0x4ba/0x820 mm/slub.c:2800
 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2840
 slab_alloc_node mm/slub.c:2922 [inline]
 __kmalloc_node+0x2df/0x380 mm/slub.c:4156
 kmalloc_node include/linux/slab.h:614 [inline]
 __vmalloc_area_node mm/vmalloc.c:2849 [inline]
 __vmalloc_node_range+0x554/0x960 mm/vmalloc.c:2966
 __vmalloc_node mm/vmalloc.c:3015 [inline]
 vzalloc+0x67/0x80 mm/vmalloc.c:3085
 do_ip6t_get_ctl+0x615/0xa10 net/ipv6/netfilter/ip6_tables.c:816
 nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
 ipv6_getsockopt+0x1be/0x270 net/ipv6/ipv6_sockglue.c:1486
 tcp_getsockopt+0x86/0xd0 net/ipv4/tcp.c:4253
 __sys_getsockopt+0x21f/0x5f0 net/socket.c:2214
 __do_sys_getsockopt net/socket.c:2229 [inline]
 __se_sys_getsockopt net/socket.c:2226 [inline]
 __x64_sys_getsockopt+0xba/0x150 net/socket.c:2226
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1346 [inline]
 free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1397
 free_unref_page_prepare mm/page_alloc.c:3332 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3411
 __vunmap+0x783/0xb70 mm/vmalloc.c:2587
 __vfree+0x3c/0xd0 mm/vmalloc.c:2635
 vfree+0x5a/0x90 mm/vmalloc.c:2666
 __do_replace+0x16b/0x890 net/ipv6/netfilter/ip6_tables.c:1116
 do_replace net/ipv6/netfilter/ip6_tables.c:1156 [inline]
 do_ip6t_set_ctl+0x90d/0xb90 net/ipv6/netfilter/ip6_tables.c:1638
 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1008
 tcp_setsockopt+0x136/0x24a0 net/ipv4/tcp.c:3657
 __sys_setsockopt+0x2db/0x610 net/socket.c:2170
 __do_sys_setsockopt net/socket.c:2181 [inline]
 __se_sys_setsockopt net/socket.c:2178 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2178
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff888017d7ba00: 00 fc fc fc fc fb fc fc fc fc 00 fc fc fc fc 00
 ffff888017d7ba80: fc fc fc fc fb fc fc fc fc 00 fc fc fc fc 00 fc
>ffff888017d7bb00: fc fc fc 00 fc fc fc fc fa fc fc fc fc 00 fc fc
                                           ^
 ffff888017d7bb80: fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc
 ffff888017d7bc00: fc fa fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/08/08 02:48 net-next-old f9be84db09d2 6972b106 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in nft_table_lookup
* Struck through repros no longer work on HEAD.